06-11-2014 12:01 PM
I have three networks at work, 172.31.101.0, 172.31.102.0, and 172.31.103.0
172.31.101.0 is where all of my servers reside.
I have IP cameras at all three sites. When I use Cisco AnyConnect to start a VPN session I am only able to see the cameras on the 172.31.101.0 network.
I am pretty new to this but it seems like I am missing some routes somewhere.
Thanks for your help.
Mike
06-11-2014 12:35 PM
Do your two remote sites connect to the main site via site-site VPN in the same firewall as your remote access VPN? If so, what you're trying to do is known as "hairpinning" and the VPNs need to be set up to allow it.
Basically you need to make sure the networks are allowed in the routes pushed to the client, allow traffic to go back out the same interface it enters on, add the remote access client subnet to the remote net in the access-list for the site-site VPN and make sure it's exempted from NAT.
There are many articles around detailing how to set this up. One I think is particularly well done is over at packetu.com (link).
Hope this helps.
06-11-2014 01:18 PM
Yes,
All three sites are connected via an MPLS.
I will review the link and post back. Right now I am having issues with ASDM. I think it's a Java problem though...joy
06-11-2014 03:33 PM
If the sites are connected via MPLS (and not a site-site VPN that also terminates on the ASA) then more simple routing is most likely your issue.
You can check the routes you're getting while on VPN by opening the AnyConnect GUI and clicking the settings (gear) icon and then looking at VPN, Route Details. You'll need to be getting either a default route (i.e. no split tunnel) or a specified route (or routes) that includes the target subnets.
If that looks good then it's probably routing across the MPLS cloud failing to advertise your address pool for the VPN clients.
06-12-2014 08:59 AM
Thank you,
Can you give more detail on where I would look within the ASDM GUI?
Thanks
Mike
06-12-2014 01:36 PM
I had mentioned the AnyConnect GUI, i.e., see screenshot below.
Those routes are configured in ASDM via "Configuration > Remote Access VPN > AnyConnect Connection Profiles". Check which group policy your connection profile uses. Then go under that Group Policy and select Edit. Expand the Advanced menu and examine the Split Tunneling settings. The policy should be "Tunnel Network List Below" and the Network List calls out an access-list that specifies your networks that the VPN can access.
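As an added example, not posted by anyone in this thread and not taken from the linked article: the ASA CLI equivalent of the two answers above, i.e. the split-tunnel list and group policy from the last reply, the NAT exemption from the second reply, and the one extra line needed only in the hairpin (site-to-site VPN on the same ASA) case. The three site subnets are the ones from the original post; the client pool 172.31.200.0/24, all object and policy names, and the ASA 8.3+ NAT syntax are assumptions for illustration. Note that the split-tunnel ACL is also the client's reachability scope: any subnet missing from it is simply not routed into the tunnel, which is the symptom described, while everything not listed goes straight out the user's local Internet connection.

```cisco
! --- Assumed names and addresses (not from the thread) ---
! VPN client pool 172.31.200.0/24. It must not overlap the site subnets
! and, in the MPLS case, the MPLS side must have a route back to it.
ip local pool ANYCONNECT_POOL 172.31.200.10-172.31.200.200 mask 255.255.255.0

! Split-tunnel list ("Tunnel Network List Below" in ASDM). Only these
! destinations are pushed to the client as tunnel routes. Leaving out
! .102.0 or .103.0 here reproduces the original poster's symptom.
access-list SPLIT_TUNNEL_ACL standard permit 172.31.101.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 172.31.102.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 172.31.103.0 255.255.255.0

! Group policy referenced by the AnyConnect connection profile.
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 address-pools value ANYCONNECT_POOL

! Connection profile (tunnel-group) bound to that group policy.
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 default-group-policy GP_ANYCONNECT

! NAT exemption (ASA 8.3+ twice-NAT syntax): traffic between the sites
! and the client pool must not be translated, in either direction.
object network NET_VPN_POOL
 subnet 172.31.200.0 255.255.255.0
object-group network NET_SITES
 network-object 172.31.101.0 255.255.255.0
 network-object 172.31.102.0 255.255.255.0
 network-object 172.31.103.0 255.255.255.0
nat (inside,outside) source static NET_SITES NET_SITES destination static NET_VPN_POOL NET_VPN_POOL no-proxy-arp route-lookup

! Hairpin case only (second reply): remote sites reached over site-to-site
! VPNs that terminate on this same ASA. Allow traffic to leave on the
! interface it arrived on; the client pool also has to be added to the
! remote-network side of each site-to-site crypto ACL (not shown, since
! it depends on the existing tunnel definitions).
same-security-traffic permit intra-interface
```

In the MPLS case from the third reply, the missing piece is usually on the WAN side rather than the ASA: the head-end CE router (and whatever it redistributes into the MPLS cloud) needs a route for the assumed client pool pointing at the ASA's inside address, e.g. on an IOS router `ip route 172.31.200.0 255.255.255.0 172.31.101.1` where 172.31.101.1 is an assumed ASA inside address. Without it, the cameras at the .102 and .103 sites receive the client's packets but return traffic follows the default route and never comes back through the ASA. After applying either variant, confirm from the client side with the AnyConnect Route Details view mentioned above: all three /24s should appear as secured routes.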